EA website hacked to steal Apple IDs and credit cards

The Electronic Arts website is probably the last place you’d expect to find an Apple login page, but that’s where this one turned up. Hackers managed to compromise an EA subdomain, which they then turned into an identity theft machine built to mimic the Apple ID sign-in.

It’s an odd pairing, and keen-eyed web surfers would surely notice that something fishy (phishy?) is going on if they landed on the page. As obvious as it might seem to you or me, however, these attacks work, and they work often enough for criminals to keep sniffing out vulnerable servers that they can breach and manipulate. Two years ago, Sony found a similar phish set up on one of its servers.

Security researchers at Netcraft believe the compromised EA server was running an outdated version of a calendar web application. Once inside, the attackers set up shop using page elements lifted straight from the Apple website. The result is a convincing illusion, especially for anyone who doesn’t think to check the address bar: the page is served from a genuine EA hostname, so nothing about the connection itself looks wrong.

The first page harvests the victim’s Apple ID and password. Unwittingly handing over the keys to an Apple account is bad enough, but phishers aren’t generally the kind who stop kicking someone when they’re down. A second page claws for additional information: credit card number and CVD (the card verification code), date of birth, and even the victim’s mother’s maiden name. The goal is to build as detailed a profile as possible; date of birth and mother’s maiden name are stock security-question answers, so the same data can be used to reset passwords and break into other accounts, such as Facebook, webmail, and online banking.

Once the forms are submitted, the fraudulent pages on EA’s server redirect victims to Apple.com, where they’re left scratching their heads and wondering what just happened.
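The pattern described above, a brand’s sign-in page served from a host the brand doesn’t own, borrowing the brand’s own assets, harvesting credentials and card details, then bouncing the victim to the real site, is something a defender can check for mechanically. The following Python script is an added example written for this article; it is not Netcraft’s tooling and has nothing to do with EA’s servers. The HTML samples, the hostnames, the brand-to-domain list (`BRAND_DOMAINS`) and the field-name hints (`FIELD_HINTS`) are all constructed for the demonstration.

```python
"""Heuristic check for a brand login page hosted on a domain the brand does not own.

Added example for this article; not Netcraft's tooling, not EA's code. All
sample HTML and hostnames below are constructed to resemble the two-stage
phish described in the text, not captured from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a tiny brand -> legitimate-domain list is enough for the demo.
BRAND_DOMAINS = {"apple": ("apple.com", "icloud.com")}

# Substrings of input name/id attributes that indicate credential or
# identity-profile harvesting (the article's second page asks for exactly these).
FIELD_HINTS = {
    "pass": "password",
    "card": "card number", "ccnum": "card number",
    "cvv": "card verification code", "cvd": "card verification code",
    "cvc": "card verification code",
    "dob": "date of birth", "birth": "date of birth",
    "maiden": "mother's maiden name",
}


class PageScanner(HTMLParser):
    """Collects visible text, input fields, external resource hosts and meta refresh."""

    def __init__(self):
        super().__init__()
        self.text = []            # visible text chunks, lower-cased
        self.inputs = []          # (type, name-or-id) per <input>
        self.resource_hosts = set()  # hosts that <link>/<script>/<img> are loaded from
        self.refresh_to = None    # target of a <meta http-equiv="refresh">, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            self.inputs.append((a.get("type", "text").lower(), name))
        elif tag in ("link", "script", "img"):
            host = urlparse(a.get("href") or a.get("src") or "").hostname
            if host:
                self.resource_hosts.add(host.lower())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=https://..." -> where the victim is bounced to
            _, _, target = a.get("content", "").partition("url=")
            self.refresh_to = target.strip() or None

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip().lower())


def belongs_to(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_field(input_type, name):
    """Map an input to the kind of sensitive data it collects, or None."""
    if input_type == "password":
        return "password"
    return next((label for hint, label in FIELD_HINTS.items() if hint in name), None)


def scan_page(page_url, html):
    """Return findings; verdict is 'phishing-likely' when a brand's login/identity
    form is served from a host the brand does not own."""
    scanner = PageScanner()
    scanner.feed(html)
    host = (urlparse(page_url).hostname or "").lower()
    text = " ".join(scanner.text)

    brand = next((b for b in BRAND_DOMAINS if b in text), None)
    legit = BRAND_DOMAINS.get(brand, ())
    fields = sorted({f for f in (classify_field(t, n) for t, n in scanner.inputs) if f})
    off_brand = brand is not None and not belongs_to(host, legit)
    borrowed = any(belongs_to(h, legit) for h in scanner.resource_hosts)
    bounce_host = (urlparse(scanner.refresh_to or "").hostname or "").lower()
    return {
        "host": host,
        "brand": brand,
        "sensitive_fields": fields,
        "off_brand_host": off_brand,
        "borrows_brand_assets": borrowed,
        "bounces_to_brand": bool(bounce_host) and belongs_to(bounce_host, legit),
        "verdict": "phishing-likely" if off_brand and fields else "no-finding",
    }


# Constructed samples (not the real EA pages). Stage 1 mimics the Apple ID
# sign-in, stage 2 asks for card and identity details, stage 3 bounces to Apple.
PHISH_URL = "https://calendar.compromised-site.example/cal/login.php"
STAGE1 = """<html><head><title>My Apple ID</title>
<link rel="stylesheet" href="https://www.apple.com/global/styles/base.css"></head>
<body><h1>Sign in with your Apple ID</h1><form action="/cal/verify.php" method="post">
<input type="text" name="appleid"><input type="password" name="password">
<input type="submit" value="Sign In"></form></body></html>"""
STAGE2 = """<html><body><h1>Verify your Apple ID billing information</h1>
<form action="/cal/done.php" method="post"><input type="text" name="ccnum">
<input type="text" name="cvd"><input type="text" name="dob"><input type="text" name="maiden">
<input type="submit" value="Continue"></form></body></html>"""
STAGE3 = """<html><head><title>Apple ID</title>
<meta http-equiv="refresh" content="0;url=https://www.apple.com/"></head>
<body>Thank you.</body></html>"""
LEGIT_URL = "https://appleid.apple.com/"
LEGIT = """<html><body><h1>Sign in with your Apple ID</h1><form action="/signin" method="post">
<input type="text" name="account_name"><input type="password" name="password"></form></body></html>"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, STAGE1), (PHISH_URL, STAGE2), (PHISH_URL, STAGE3), (LEGIT_URL, LEGIT)):
        print(scan_page(url, html))
```

The verdict rests on one fact the victim could also have checked: the address bar hostname is not under the impersonated brand’s domain. The other signals (stylesheets pulled from apple.com, a meta refresh back to the real site) are corroboration, not proof. The brand match is a crude substring test and the two-label domain logic ignores country-code second-level domains, so a production tool would swap in a maintained brand list and a public-suffix library.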

Fortunately, Netcraft has already passed the URL along to others in the security business, and this particular phish has been blacklisted. EA has also updated its server and closed the vulnerability that allowed it to be compromised. There will be others, though: the criminals responsible will move on and find another reputable site like EA’s that they can use to ambush users.